When the traffic from the remote site comes through the tunnel and then out to the internet, this will need to have NAT enabled for the internet access to work.
From zone will be the tunnel interface with the to zone fo untrust with source nat on interface enabled.